Dreamhost hijacking my prefix...
Andree Toonk
andree+nanog at toonk.nl
Fri Jan 11 16:46:57 UTC 2013
Hi,
Here's a quick summary of what we saw at BGPMon.net.
At 2013-01-11 14:14:13 we saw announcements (seemingly) originated by
26347, for prefixes normally announced by other ASn's (origin change /
hijack).
This seems to have affected 112 prefixes for 110 ASn's [1], including
Rogers, Tata, Sprint, Ziggo, Verizon, KPN, Vodafone, CloudFlare, XS4ALL,
AT&T, Bell Canada and many more.
Most of these were new more specific(!) announcements.
With regards to next-hop ASN's (peers). It seems this hijack was
propagated via 12 unique (AS26347) peers [1]
A quick look at the prefix that was mentioned by Jeff, 150.182.208.0/20
(more specific of 50.182.192.0/18)
The first announcement for this prefix was seen at 2013-01-11 14:14:28
and withdrawn at 2013-01-11 15:20:57. It was detected by 42 unique peers.
some example paths:
271 6939 26347
5580 26347|
37312 5713 6939 26347
1126 24785 12989 26347
[1] I've posted some details (Unique next-hop ASN's and affected origin
ASN's), check if your AS was affected here:
http://portal.bgpmon.net/data/hijack20130111.txt
Cheers,
Andree
.-- My secret spy satellite informs me that at 2013-01-11 7:23 AM Jeff
Kell wrote:
> Not sure how widespread their "leakage" may be, but Dreamhost just
> hijacked one of my prefixes...
>
>> ====================================================================
>> Possible Prefix Hijack (Code: 10)
>> ====================================================================
>> Your prefix: 150.182.192.0/18:
>> Update time: 2013-01-11 14:14 (UTC)
>> Detected by #peers: 11
>> Detected prefix: 150.182.208.0/20
>> Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
>> Upstream AS: AS42861 (PRIME-LINE-AS JSC "Prime-Line")
>> ASpath: 8331 42861 42861 42861 26347
>
> Anyone have a contact there? ASinfo gives netops at dreamhost.com where I
> have submitted a report, but so far no joy...
>
> Jeff
>
>
>
More information about the NANOG
mailing list